30 Sep 2020

New Zealand businesses unaware of online security laws - CERT NZ

7:51 pm on 30 September 2020

Many companies rushing to set up e-commerce and online trading have failed to comply with rules protecting customers' data, according to a new survey.

The cyber security advisor - CERT NZ - found that 39 percent of businesses with an online store have never heard of the Payment Card Industry Data Security Standard (PCI DSS).

This is a set of international standards businesses should follow to protect customers' information through the use of firewalls, proper password protections, and the encryption of customers' data.

The level of ignorance was even higher for firms with a website or operating a website for a small business.

Less than two-thirds of businesses with online stores had heard of the standards, with only 17 percent reporting "a reasonably good understanding of PCI DSS compliance".

CERT NZ director Rob Pope said the results were concerning, although the pressure businesses are under because of Covid-19 might account for some of the laxness.

"It is understandable with these uncertain times through Covid, with the swift uptake of digital retailing, that this may have escaped their attention."

Pope said consumers needed to be assured that retailers had measures in place to protect their card data.

Pope said it would "certainly be a good thing" if retailers were required to disclose if they are PCI DSS compliant on their website, but that it would be best managed by banks in terms of their contractual obligations with retailers.

He said retailers should check with their website developers to ensure they are meeting their requirements.